Users in an enterprise or corporate environment are often issued or use their own mobile devices to access their enterprise email. An email client is often installed on the device by the user or an information technology (IT) administrator to facilitate access to the user's email. To access email, the user typically must provide a username and password, and in some cases, a two-factor authentication token, to authenticate access to email by his or her mobile device. However, with username and password access to email, the IT administrator can be restricted in his or her ability to limit or control with which mobile devices the user is accessing his or her email.
Limiting access to email to certain mobile devices can be desirable so that an IT administrator can ensure that a user is not accessing his or her corporate email on a device that is unapproved or that is not managed by the IT administrator. For example, an unmanaged device might have unapproved or malicious applications installed on the device that can compromise data security within an enterprise. Accordingly, an IT administrator might wish to restrict access to corporate email to a particular mobile device. The particular device might be a managed device that is owned and issued by the enterprise to the user or a device that is enrolled with a management service. However, some email services might not provide a mechanism to authenticate a mobile device that is accessing a user's email in addition to authenticating the user's identity.